- Disclamair
- House Of Roman
------> 2.1 Assumptions
------> 2.2 Protections
------> 2.3 Quick Walkthrough
------> 2.4 Setting the FD to malloc_hook
------> 2.5 Fixing the 0x71 freelist
------> 2.6 Unsorted Bin attack on malloc_hook
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#-*- coding:utf-8 -*- | |
''' | |
DEF CON 2017 Quals - Godzilla (Reverse) | |
Timing attack on RSA decryption. | |
Based on http://www.cs.jhu.edu/~fabian/courses/CS600.624/Timing-full.pdf | |
Another solutions: | |
https://gist.github.com/nneonneo/367240ae2d8e705bb9173a49a7c8b0cd by b2xiao | |
https://gist.github.com/Riatre/caac24840b176cf843b3f66ad9a5eeaf by riatre |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import gevent | |
from gevent import monkey; monkey.patch_all(); del monkey | |
import random | |
import time | |
concurrent = 8 | |
delay = 0.5 | |
def get_user_agent(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# read/write access to python's memory, using a custom bytearray. | |
# some code taken from: http://tinyurl.com/q7duzxj | |
# | |
# tested on: | |
# Python 2.7.10, ubuntu 32bit | |
# Python 2.7.8, win32 | |
# | |
# example of correct output: | |
# inspecting int=0x41424344, at 0x0228f898 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/*********************************** | |
* 威盾PHP加密专家解密算法 By:Neeao | |
* http://Neeao.com | |
* 2009-09-10 | |
***********************************/ | |
$filename="index.php";//要解密的文件 | |
$lines = file($filename);//0,1,2行 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# encoding: utf-8 | |
#flag{Seize it, control it, and exploit it. Welcome to the House of Storm.} | |
import itertools | |
from hashlib import sha256 | |
from pwn import remote, process, ELF | |
from pwn import context | |
from pwn import p32,p64,u32,u64 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
config: KASLR + SMEP + RANDOM_STRUCT | |
In llseek, I only check whether the offset is smaller than file_size or not. | |
However, the image can be crafted by the attacker. After reversing the disk | |
layout of the image, the attacker can mount an image which contains a normal | |
file having file size 0x7fffffffffffffff. | |
With llseek, kernel memory read and write can be achieved. | |
But the implemented llseek only supports positive seeking, which means that | |
the attacker cannot access the data before the buffer of the file. | |
This creates certain difficulties. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwn import * | |
context.bits = 64 | |
#libc = ELF('./libc-2.23.so') | |
libc = ELF('./libc-2.24.so') | |
main = ELF('./babyheap.dbg') | |
#main = ELF('./babyheap') | |
#dbg_file = './libc-2.23.debug' | |
def gdb_load_symbols_cmd(sym_file, elf, base): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// | |
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018. | |
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d | |
// | |
// Scroll down do "BEGIN EXPLOIT" to skip the utility functions. | |
// | |
// Copyright (c) 2018 Samuel Groß | |
// | |
// |
OlderNewer